Add SwissSign SHA2 root certificate(s)

RESOLVED WONTFIX

Status

--
enhancement
RESOLVED WONTFIX
4 years ago
a month ago

People

(Reporter: cornelia.enke, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-denied] Comment #47 - submit new roots in new bug)

Attachments

(9 attachments, 4 obsolete attachments)

(Reporter)

Description

4 years ago
Created attachment 8576325 [details]
SwissSign-EV-SSL-Certificate-2013-2014-FINAL.pdf

CA Details
----------

CA Name: Swiss Sign
Website: https://swisssign.com
One Paragraph Summary of CA, including the following:
 - General nature (e.g., commercial, government, academic/research, nonprofit)
 - Primary geographical area(s) served

Audit Type (WebTrust, ETSI etc.): ETSI TS 102042 and ETSI TS 101456 and ZertES (Swiss Signature Law)
Auditor: KPMG
Auditor Website: http://www.kpmg.com/ch/de/seiten/default.aspx
Audit Document URL(s): please refer attachment
Certificate Details:

Platinum
Subject name: / CN= SwissSign Platinum Root CA - G3/ O=SwissSign AG / C=CH
Friendly name: SwissSign Platinum Root CA – G3
Validity date: ‎ ‎4. ‎August ‎2009 14:34:04 until  ‎4. ‎August ‎2037 14:34:04
Thumbprint: ‎a1 e7 c6 00 aa 41 70 e5 b7 4b c9 4f 9b 97 03 ed c2 61 b4 b9
Desired extended key usage: Secure Email, Server Authentication, Client Authentication, Code Signing, Time Stamping

CP: http://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf
EUA: http://repository.swisssign.com/SwissSign-Platinum-EUA-R4.pdf

Subordinate CAs - see CP/CPS Chapter 1.1

CRL issuing frequency for subordinate end-entity certificates:  6h
CRL issuing frequency for subordinate CA certificates: on event at least 6 month

Certificate download URL (on CA website): https://swisssign.net/cgi-bin/authority/download
Public key length (for RSA, modulus length) in bits: 4096 Bit


Class: DV/identity/organizationally-validated


Gold
Subject name: / CN= SwissSign Gold Root CA - G3/ O=SwissSign AG / C=CH
Friendly name: SwissSign Gold Root CA – G3
Validity date:  ‎4. ‎August ‎2009 14:31:47 until ‎ ‎4. ‎August ‎2009 14:31:47
Thumbprint: 0b 71 99 a1 c7 f3 ad df 7b a7 ea b8 eb 57 4a e8 0d 60 dd de
Desired extended key usage: Secure Email, Server Authentication, Client Authentication, Code Signing


CP: http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf
EUA: https://www.swisssign.com/documents/SwissSign-Gold-EUA-R4.pdf

Subordinate CAs - see CP/CPS Chapter 1.1

CRL issuing frequency for subordinate end-entity certificates:  6h
CRL issuing frequency for subordinate CA certificates: on event at least 6 month

Certificate download URL (on CA website): https://swisssign.net/cgi-bin/authority/download
Public key length (for RSA, modulus length) in bits: 4096 Bit


Class: Class: DV/identity/EV




Silver
Subject name: / CN=SwissSign Silver  Root CA – G3 / O=SwissSign AG / C=CH
Friendly name: SwissSign Silver Root CA – G3
Validity date: 4. ‎August ‎2009 14:19:14 until 4. ‎August ‎2037 14:19:14
Thumbprint: ‎8d 08 fc 43 c0 77 0c a8 4f 4d cc b2 d4 1a 5d 95 6d 78 6d c4
Desired extended key usage: Secure Email, Server Authentication, Client Authentication, Code Signing


CP: http://repository.swisssign.com/SwissSign-Silver-CP-CPS.pdf
EUA: https://www.swisssign.com/documents/SwissSign-Silver-EUA-R3.pdf

Subordinate CAs - see CP/CPS Chapter 1.1

CRL issuing frequency for subordinate end-entity certificates:  6h
CRL issuing frequency for subordinate CA certificates: on event at least 6 month

Certificate download URL (on CA website): https://swisssign.net/cgi-bin/authority/download
Public key length (for RSA, modulus length) in bits: 4096 Bit


Class: Class: DV
(Assignee)

Comment 2

4 years ago
Begging the Information Verification process:
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information Incomplete
(Assignee)

Comment 3

4 years ago
The currently-included SHA-1 roots are:
SwissSign Gold CA - G2 [Trust Bits: Websites;Email;Code] 
SwissSign Platinum CA - G2 [Trust Bits: Email;Code] 
SwissSign Silver CA - G2 [Trust Bits: Websites;Email;Code]  

For the SHA-2 roots, do you want to keep the same trust bits as the SHA-1 roots?
(Assignee)

Comment 4

4 years ago
For each of the SwissSign Gold CA - G3 and SwissSign Silver CA - G3 roots, please provide the url to a website whose SSL cert chains up to the root. If you are requesting EV treatment for the Gold-G3 root, then please make sure the website's SSL cert is EV.  Note that the websites may either be test websites or actual (in-use) websites.

For the SwissSign Platinum CA - G2 root, please attach (to this bug) an example/test cert that chains up to the root.
(Assignee)

Comment 5

4 years ago
Created attachment 8580401 [details]
Intial CA Information Document

The attached document shows the information that has been verified, and where further information or clarification is needed. Please review the entire document for accuracy, and update this bug to provide corrections and the requested information.
(Assignee)

Comment 6

3 years ago
Created attachment 8680826 [details]
1142323-Initial-CAInformation.pdf

Updated the CA Information document because Mozilla is no longer enabling the Code Signing trust bit for root certificates.
Reference: https://groups.google.com/d/msg/mozilla.dev.security.policy/004uvRRnVyY/UAU7adNMBAAJ
Attachment #8580401 - Attachment is obsolete: true
(Assignee)

Comment 7

3 years ago
The status of this request is that we are still waiting for the CA to review the attached CA Information document and provide the requested information (search for NEED in the CAInformation.pdf document).
(Assignee)

Comment 8

3 years ago
Created attachment 8734150 [details]
1142323-CAInformation.pdf

Please review the attached document, and add comments in this bug to provide the additional requested information (search for NEED in the attached document).
(Assignee)

Comment 9

2 years ago
Created attachment 8797281 [details]
Questionaire_Mozilla_20160922.pdf
(Assignee)

Comment 10

2 years ago
Aaron and Francis, please complete the Information Verification for this request -- see the attachment in Comment #9 for the CA's updated information.
(Reporter)

Comment 11

2 years ago
What I have to do that the Information will be verified?
(Reporter)

Comment 12

2 years ago
Created attachment 8818811 [details]
18-03-2016-SwissSign-EV-SSL-Certific-Confirmation-2016_VI_FINAL_signed (mit 1 Signatur).pdf
Attachment #8576325 - Attachment is obsolete: true
(Assignee)

Updated

2 years ago
Assignee: kwilson → awu

Comment 13

2 years ago
Hi Corneia,

We are working on information verification based on Comment#12, please stay tuned.

Thanks,
Aaron

Updated

2 years ago
Whiteboard: EV - Information Incomplete → [ca-verification] - EV

Comment 14

2 years ago
Created attachment 8843869 [details]
SwissSign_SHA2_20170305.pdf

Comment 15

2 years ago
Hi,

We've done of 2nd round of Information Verification, please see the verified CA document as Comment#14 and see if all information are correct.

Highlight here, there are still few info. below need you to provide:

1. SwissSign Gold Root CA - G3
- Test Website - Expired
- Test Website - Revoked

2. SwissSign Platinum Root CA - G3
- Test Website - Valid
- Test Website - Expired
- Test Website - Revoked

Note : CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.”

Once all information are verified and the data above you provided, we can ready to move it to next stage.

Thanks for your patient and cooperation!

Regards,
Aaron
(Reporter)

Comment 16

2 years ago
HI,



1. SwissSign Gold Root CA - G3
https://gold-g3-valid-cert-demo.swisssign.net
https://gold-g3-expired-cert-demo.swisssign.net
https://gold-g3-revoked-cert-demo.swisssign.net

2. SwissSign Silver Root CA - G3
https://silver-g3-valid-cert-demo.swisssign.net
https://silver-g3-expired-cert-demo.swisssign.net
https://silver-g3-revoked-cert-demo.swisssign.net

3. SwissSign Platinum Root CA - G3 - is issuing  qualified Certificates for Individuals and legal Entities and no certificates for Webservers


Regards Conny

Comment 17

2 years ago
Created attachment 8844295 [details]
1142323-CAInformation-Complete.pdf

Comment 18

2 years ago
Hi,

The information verification is completed, please see the attachment as Comment#17. If no problem with all information, It is ready for public discussion.
(Reporter)

Comment 19

2 years ago
Hi Aaron 

please rplace the following section:

SwissSign operates an Issuing CA for the Swiss
Post. SwissSign also provides managed PKI
services. Registration Services may be used
internationally.



SwissSign operates as Issuing CA for public trusted certificates (PTC). 
SwissSign also provides managed PKI
services. Registration Services may be used
internationally.

Comment 20

2 years ago
Hi,

Updated "Primary Market / Customer Base" as comment#19.

This request is ready for Public Discussion if no other quesiton.

Kind regards,
Aaron
(Reporter)

Comment 21

2 years ago
thanks - please put it to the public discussion.

What is the estimeted time for public discussion?

Kind Regards,
Conny

Updated

2 years ago
Whiteboard: [ca-verification] - EV → [ca-ready-for-discussion 2017-03-16] -- EV

Comment 22

2 years ago
Hi Conny,

The following wiki shows the timeline that it takes to complete each of the phases of the root inclusion process for a CA, please for reference.

https://wiki.mozilla.org/CA:How_to_apply#Timeline

Kind regards,
Aaron
(Reporter)

Comment 23

2 years ago
Hi Aaron,

I can´t find SwissSign on the public Discussion List?
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I am are on th right site?

Kind Regards Conny
(Reporter)

Comment 24

2 years ago
Created attachment 8853299 [details]
29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf

This is the new Audit conformation for 2017
Attachment #8818811 - Attachment is obsolete: true
(Assignee)

Comment 25

2 years ago
(In reply to Corneia Enke from comment #23)
> Hi Aaron,
> 
> I can´t find SwissSign on the public Discussion List?
> https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
> I am are on th right site?
> 
> Kind Regards Conny


The queue for discussion has been moved here:
https://wiki.mozilla.org/CA/Dashboard#Ready_for_Public_Discussion
(Assignee)

Comment 26

2 years ago
Cornelia,
Please perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ
In particular, note:
+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.
Whiteboard: [ca-ready-for-discussion 2017-03-16] -- EV → [ca-ready-for-discussion 2017-03-16] -- EV -- - Need BR Self Assessment
(Assignee)

Comment 27

2 years ago
(In reply to Corneia Enke from comment #24)
> Created attachment 8853299 [details]
> 29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf
> 
> This is the new Audit conformation for 2017

I am concerned about a few things I see in this audit statement:

1) "KPMG has performed a point in time audit. The reference date is 8 March 2017."

Mozilla needs an annual period-of-time assessment, per section 8.1 of the Baseline Requirements:
"The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods. An audit period MUST NOT exceed one year in duration."

A single point-in-time audit is not sufficient for the required annual audit.

2) "We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. "

What does that mean?


3) "Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you."

What exactly is this referring to? What additional procedures did not get evaluated?

Updated

2 years ago
Product: mozilla.org → NSS
(Reporter)

Comment 28

2 years ago
Created attachment 8864741 [details]
SwissSignAG_CA_BR_Self_Assessment_Q2_2017.pdf
(Reporter)

Comment 29

2 years ago
(In reply to Kathleen Wilson from comment #26)
> Cornelia,
> Please perform the BR Self Assessment, and attach the resulting
> BR-self-assessment document to this bug.
> 
> Note:
> Current version of the BRs:
> https://cabforum.org/baseline-requirements-documents/
> Until a version of the BRs is published that describes all of the allowed
> methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain
> validation):
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf
> 
> = Background = 
> 
> We are adding a BR-self-assessment step to Mozilla's root inclusion/change
> process.
> 
> Description of this new step is here:
> https://wiki.mozilla.org/CA:BRs-Self-Assessment
> 
> It includes a link to a template for CA's BR Self Assessment, which is a
> Google Doc:
> https://docs.google.com/spreadsheets/d/
> 1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
> 
> Phase-in plan is here:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/
> Fi9y6vOACQAJ
> In particular, note:
> + For the CAs currently in the queue for discussion, I would ask them to
> perform this BR Self Assessment before I would start their discussion.

--> File uploaded on 05th of Mai 2017

Comment 30

2 years ago
Hi Corneia,

Thanks to provide BR Self Assessment, that is very helpful to make it moving forward.

We will review/verify BR Self Assessment, update in Salesforce, and sooner start the public discussion.

Please stay tuned, thank you!


Kind regards,
Aaron

Updated

2 years ago
Whiteboard: [ca-ready-for-discussion 2017-03-16] -- EV -- - Need BR Self Assessment → [ca-ready-for-discussion 2017-03-16] -- EV - BR Self Assessment Completed
(Reporter)

Comment 31

a year ago
Created attachment 8867669 [details] [diff] [review]
10-05-2017-SwissSign-Confirmation-2017.pdf

improvings on the Attestation letter based on the Input from Mozilla
Attachment #8853299 - Attachment is obsolete: true
(Assignee)

Comment 32

a year ago
I still need a response to Comment 27.
(Assignee)

Comment 33

a year ago
(In reply to Corneia Enke from comment #31)
> Created attachment 8867669 [details] [diff] [review]
> 10-05-2017-SwissSign-Confirmation-2017.pdf
> 
> improvings on the Attestation letter based on the Input from Mozilla

I can't seem to view the document. Please try to attach it again.

Comment 34

a year ago
Created attachment 8867948 [details]
10-05-2017-SwissSign-Confirmation-2017.pdf

re #33 - try this
(Assignee)

Comment 35

a year ago
(In reply to Andrew Whalley from comment #34)
> Created attachment 8867948 [details]
> 10-05-2017-SwissSign-Confirmation-2017.pdf
> 
> re #33 - try this

Thanks, Andrew!


Considering the updated audit statement in regards to my previous comments...


(In reply to Kathleen Wilson from comment #27)
> (In reply to Corneia Enke from comment #24)
> > Created attachment 8853299 [details]
> > 29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf
> > 
> > This is the new Audit conformation for 2017
> 
> I am concerned about a few things I see in this audit statement:
> 
> 1) "KPMG has performed a point in time audit. The reference date is 8 March
> 2017."
> 
> Mozilla needs an annual period-of-time assessment, per section 8.1 of the
> Baseline Requirements:
> "The period during which the CA issues Certificates SHALL be divided into an
> unbroken sequence of audit periods. An audit period MUST NOT exceed one year
> in duration."
> 
> A single point-in-time audit is not sufficient for the required annual audit.
> 

In the updated audit statement, the phrase "Point in Time" was removed, and replaced with:
"Our certification audit field work commenced on 9 January 2017 and was completed on 8 March 2017".

I do not understand what that means with respect to the audit period. 
Was certificate issuance only observed for those two days? 
Or was there an assessment of the certificates that had been issued over the prior year?
If the later, then what were the audit period start and end dates?

For a definition of "audit period" see section 1.6.1 of
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf


> 2) "We were not engaged to and did not conduct an examination, the objective
> of which would be the expression of an opinion on the Application for
> Extended Validation (EV) Certificate. "
> 
> What does that mean?
> 

That was removed in the updated audit statement. 
So, was the EVCP policy evaluated for some of the listed root certificates?
If yes, which root certificates?

> 
> 3) "Accordingly, we do not express such an opinion. Had we performed
> additional procedures, other matters might have come to our attention that
> would have been reported to you."
> 
> What exactly is this referring to? What additional procedures did not get
> evaluated?

That was removed in the updated audit statement, but it is still not clear to me which root certificates were evaluated according to the DVCP, PTC-BR, EVCP, LCP, NCP policies/criteria, and the period of time over which those CA hierarchies were evaluated.
(Reporter)

Comment 36

a year ago
(In reply to Kathleen Wilson from comment #27)
>> >  29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf
>> > 
> >  This is the new Audit conformation for 2017
>> 
>>  I am concerned about a few things I see in this audit statement:
>> 
>>  1) "KPMG has performed a point in time audit. The reference date is 8 March
> > 2017."
> >
> > Mozilla needs an annual period-of-time assessment, per section 8.1 of the
> > Baseline Requirements:
> > "The period during which the CA issues Certificates SHALL be divided into an
> > unbroken sequence of audit periods. An audit period MUST NOT exceed one year
> > in duration."
> >
> > A single point-in-time audit is not sufficient for the required annual audit.
> >

> In the updated audit statement, the phrase "Point in Time" was removed, and replaced with:
> "Our certification audit field work commenced on 9 January 2017 and was completed on 8 March > 2017".

> I do not understand what that means with respect to the audit period. 
> Was certificate issuance only observed for those two days? 
> Or was there an assessment of the certificates that had been issued over the prior year?
> If the later, then what were the audit period start and end dates?

> For a definition of "audit period" see section 1.6.1 of
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf

“KPMG performs continuous PKI audits for SwissSign AG and has executed a main certification audit in year 2017 (surveillance certification audits against the mandatory standardizations listed in the following section are scheduled for 2018).”


Sorry, the precise formulation in the English language is probably not quite successful here.
The audit period is the timeframe between the last and the new Audit Report.
In the Report itself the timeframe for doing the inspections onsite is described. Generally KPMG inspects samples selected from the whole year’s process.


>> 2) "We were not engaged to and did not conduct an examination, the objective
>> of which would be the expression of an opinion on the Application for
>> Extended Validation (EV) Certificate. "
>> 
>> What does that mean?
>> 
>That was removed in the updated audit statement. 
>So, was the EVCP policy evaluated for some of the listed root certificates?
>If yes, which root certificates?

The auditor complies with the Swiss law ZertES (which does not include the EV certificates) and on the other hand according to ETSI (which includes all requirements of the CA Browser Forum to the EV certificates). Unfortunately the sentence in the first version was mistakenly taken from the perspective of ZertES Audit and therefore deleted for the ETSI Audit report in the last version. The audit comprised of cause the full audit also for the EVCP policy of the following roots:
Gold Root G2           
Gold Root G3

>>  
>>  3) "Accordingly, we do not express such an opinion. Had we performed
>>  additional procedures, other matters might have come to our attention that
>>  would have been reported to you."
> >
> > What exactly is this referring to? What additional procedures did not get
> > evaluated?


>That was removed in the updated audit statement, but it is still not clear to me which root certificates >were evaluated according to the DVCP, PTC-BR, EVCP, LCP, NCP policies/criteria, and the period of time >over which those CA hierarchies were evaluated.

The original sentence was probably intended as a guarantee to the auditor that they always rely on exemplary examples in the evaluation. Since, according to Swiss law, the auditor is fully liable for a defective audit of a certification body, the auditor is always inclined to choose the wording carefully. In doing so, they wanted to point out that even a thorough audit can always provide a situation in which points are overlooked. However, since this is a fundamental problem of any audit, this sentence was omitted in the new version. As a full ETSI based evaluation it was done in regard to the CP/CPS for the following CA and the following policies: 
SwissSign Platinum G2 - NCP+  (http://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf)
SwissSign Gold G2 – EVCP, NCP, DVCP, PTC-BR (http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf)
SwissSign Silver G2 – LCP, PTC-BR (http://repository.swisssign.com/SwissSign-Silver-CP-CPS.pdf)

SwissSign Platinum G3 - NCP+(http://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf)
SwissSign Gold G3 – EVCP, NCP, DVCP, PTC-BR (http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf)
SwissSign Silver G3 – LCP, PTC-BR (http://repository.swisssign.com/SwissSign-Silver-CP-CPS.pdf)
(Assignee)

Updated

a year ago
Depends on: 1374381
(Assignee)

Comment 39

8 months ago
My understanding is that this request is for inclusion of the following three root certificates:

1) SwissSign Gold Root CA - G3
Trust Bits: Websites (TLS/SSL), Email (S/MIME)
EV Treatment: Yes
Audit Statements: Yes, see Comment #37.

2) SwissSign Silver Root CA - G3
Trust Bits: Websites (TLS/SSL), Email (S/MIME)
EV Treatment: No
Audit Statements: Need period-of-time audit statements (standard and BR) for 2016 and 2017

3) SwissSign Platinum Root CA - G3
Trust Bits: Email (S/MIME)
EV Treatment: No
Audit Statements: Need period-of-time audit statements for 2016 and 2017


Cornelia, If you are still requesting inclusion of the 'SwissSign Silver Root CA - G3' and 'SwissSign Platinum Root CA - G3', then please provide the corresponding audit statements for 2016 and 2017.
(Assignee)

Comment 40

7 months ago
Unless I hear otherwise, I'll refer to the following audit statements.

SwissSign Silver Root CA - G3

https://bug343756.bmoattachments.org/attachment.cgi?id=8781268
Date on statement: 18 March 2016
"KPMG has executed a main certification audit in year 2013, and surveillance certification audits in 2014 and 2015 against the mandatory standardizations listed in the following section (specified information/procedure/results)." ...
"ETSI TS 102 042 V2.4.1 or later (DVCP and PTC-BR  policies)"
and
"ETSI TS 102 042 V2.4.1 or later (LCP and NCP policies)"
This audit lists all three of these root certs.

https://bug1142323.bmoattachments.org/attachment.cgi?id=8867948
Date on statement: 10 Mai 2017
"KPMG performs continuous PKI audits for SwissSign AG and has executed a main certification audit in year 2017"
"ETSI TS 102 042 V2.4.1 or later (DVCP and PTC-BR  policies)"
and
"ETSI TS 102 042 V2.4.1 or later (LCP and NCP policies)"
This audit lists all three of these root certs.
(Assignee)

Comment 41

7 months ago
Created attachment 8956665 [details]
1142323-CA-Information-March6-2018.pdf
(Assignee)

Comment 42

7 months ago
This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
so assigning this bug to Wayne.
Assignee: kwilson → wthayer
Whiteboard: [ca-ready-for-discussion 2017-03-16] -- EV - BR Self Assessment Completed → [ca-cps-review] - KW 2018-03-06
(Assignee)

Comment 43

7 months ago
Upon further consideration I realized that the audit statements for two of these root certs are not period-of-time audits, so they do not meet Mozilla's requirements. So moving this request back to 'Information Verification' phase until the CA updates this bug with:
Option A: complete period-of-time audits for all three root certs
Option B: change this request to be only for inclusion of the 'SwissSign Gold Root CA – G3' root cert.

Details:

1) SwissSign Gold Root CA – G3
SHA-256 Fingerprint   
7A:F6:EA:9F:75:3A:1E:70:9B:D6:4D:0B:EB:86:7C:11:E8:C2:95:A5:6E:24:A6:E0:47:14:59:DC:CD:AA:15:58
Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2017113002_Browser_Audit_Atesttation_s.pdf
Audit period: 10-October-2016 to 9-October-2017
The audit statement for this root appears to be OK. I think we could proceed with the inclusion process for this root, if the CA would like to change this request to be just for this root.

2) SwissSign Platinum Root CA - G3
SHA-256 Fingerprint   
59:B3:82:9F:1F:F4:43:34:49:58:FA:E8:BF:F6:21:B6:84:C8:48:CF:BF:7E:AD:6B:63:A6:CA:50:F2:79:4F:89
Not currently included in Mozilla's program.
Inclusion Request: https://bugzilla.mozilla.org/show_bug.cgi?id=1142323#c40
Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8861552
Audit Period: None!
I think this was a surveillance audit with no period-of-time assessment, so this does not meet Mozilla's audit requirements.

3) SwissSign Silver Root CA – G3
SHA-256 Fingerprint   
1E:49:AC:5D:C6:9E:86:D0:56:5D:A2:C1:30:5C:41:93:30:B0:B7:81:BF:EC:50:E5:4A:1B:35:AF:7F:DD:D5:01
Audit Period: None!
I think this was a surveillance audit with no period-of-time assessment, so this does not meet Mozilla's audit requirements.
Assignee: wthayer → kwilson
Whiteboard: [ca-cps-review] - KW 2018-03-06 → [ca-verifying] - Need Period-of-time audits
Reference bug 1374381 for more information on audit issues affecting these roots.

The new 2018 audit statement for the Silver G3 root is point-in-time, and thus not acceptable:

https://it-tuv.com/wp-content/uploads/2018/07/AA2018070304_Audit_Attestation_TA_CERT__SwissSign_Silver_G3_signed.pdf
(Reporter)

Comment 45

3 months ago
The statement is correct. Since the Silver, Gold and Platinum CA G3 is not yet included in all Root Stores, we do not issue any certificates for our customers under the G3 CA hierarchy to date. This in turn means that no application documents and issued certificates for end users can be considered for these certificate types. According to this fact we have a point in time statement for the G3 CA hierarchy. 
As soon as the G3 is also included in Mozilla, we can switch our certificate products to the G3 generation certificates. SwissSign will then perform a corresponding audit with TüV Trust IT after 3 months to complete the corresponding period in time audit.

When the issuing CAs for the SwissSign products are switched from the G2 to the G3 root , the application and verification processes established by SwissSign remain the same and will not be changed. This will be proven by the audit (period in time) as stated above.

Best Regards Cornelia Enke
Mozilla policy requires contiguous audits (section 3.1.3) and states "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." (section 7.1). CAs typically achieve this by including rollover roots on the same audit statements as their existing roots. In this case, we have a set of roots that are being audited separately and do not have contiguous audits that attest to their compliance from the time they were created. A PIT audit is not sufficient. This is similar to the OISTE WiseKey situation discussed in the following thread, and resulting in WiseKey needing to perform a period-of-time audit: https://groups.google.com/d/msg/mozilla.dev.security.policy/E1u_JDFsk3o/LAEOacJZCwAJ
(Assignee)

Comment 47

a month ago
Here is my understanding of the audit history for these G3 roots, which all have Valid From set to August 4, 2009.

SwissSign Gold Root CA - G3
SHA-256 Fingerprint: 7AF6EA9F753A1E709BD64D0BEB867C11E8C295A56E24A6E0471459DCCDAA1558
Current Audit:
https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2017113002_Browser_Audit_Atesttation_s.pdf
Audit Statement Date: 11/30/2017
Audit Period Start: 10/10/2016
Audit Period End: 10/9/2017
** This was the first period-of-time audit for this root.
** Both the Websites and Email trust bits requested for this root.

SwissSign Silver Root CA - G3
SHA-256 Fingerprint: 1E49AC5DC69E86D0565DA2C1305C419330B0B781BFEC50E54A1B35AF7FDDD501
Current Audit:
https://it-tuv.com/wp-content/uploads/2018/07/AA2018070304_Audit_Attestation_TA_CERT__SwissSign_Silver_G3_signed.pdf
Audit Statement Date: 7/3/2018
The audit statement says: "For this Root CA and Sub CA, the audit has been performed as point in time audit as these do not yet issue certificates to end entities."
** Both the Websites and Email trust bits requested for this root.

SwissSign Platinum Root CA - G3
SHA-256 Fingerprint: 59B3829F1FF443344958FAE8BFF621B684C848CFBF7EAD6B63A6CA50F2794F89
Audit:
https://it-tuv.com/wp-content/uploads/2018/07/AA2018070302_Audit_Attestation_TA_CERT__SwissSign_Platinum_G3_signed.pdf
Audit Statement Date: 7/3/2018
The audit statement says: "For this Root CA and Sub CA, the audit has been performed as point in time audit as these do not yet issue certificates to end entities."
** Only the Email trust bit requested for this root, so the BRs do not apply. However, Mozilla's Root Store Policy still does apply.

As Wayne pointed out in Comment #46, the audit history that has been provided for these G3 root certificates does not meet the requirements of Mozilla's root store policy.

Therefore, I think it is unlikely that these G3 root certificates would be approved for inclusion in Mozilla's root store. As such, I am going to deny this request to include these G3 root certificates.

SwissSign may submit a new root inclusion request, by creating a new Bugzilla Bug, for inclusion of newer root certs that fully comply (from creation) with the requirements of Mozilla's Root Store Policy and the BRs.

Reference: https://wiki.mozilla.org/CA/Application_Process
Status: ASSIGNED → RESOLVED
Last Resolved: a month ago
Resolution: --- → WONTFIX
Whiteboard: [ca-verifying] - Need Period-of-time audits → [ca-denied] Comment #47 - submit new roots in new bug
You need to log in before you can comment on or make changes to this bug.